authorGreg Hudson <ghudson@mit.edu>2009-09-03 17:39:50 +0000
committerGreg Hudson <ghudson@mit.edu>2009-09-03 17:39:50 +0000
commit3e76c60f9f08b5f9f78d8e266d0109c85405c06f (patch)
tree27a0caf5648505feb1c4f68e3997efb0128ad35f /src/plugins
parent97f31cbe81b3b0f795b0e16837bd83f2adcc9e88 (diff)
Supply LDAP service principal aliases to non-referrals clients
In the LDAP back end, return aliases when the CLIENT_REFERRALS_ONLY flag isn't set (abusing that flag to recognize a client name lookup). Based on a patch from Luke Howard. ticket: 6556 target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22708 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 14d029c45..03c3da48d 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -69,6 +69,30 @@ berval2tl_data(struct berval *in, krb5_tl_data **out)
return 0;
}
+/* Return true if it's okay to return aliases according to flags. */
+static krb5_boolean
+aliases_ok(unsigned int flags)
+{
+ /*
+ * The current DAL does not have a flag to indicate whether
+ * aliases are okay. For service name lookups (AS or TGT path),
+ * we can always return aliases. For client name lookups, we can
+ * only return aliases if the client passed the canonicalize flag.
+ * We abuse the CLIENT_REFERRALS_ONLY flag to detect client name
+ * lookups.
+ *
+ * This method has the side effect of permitting aliases for
+ * lookups by administrative interfaces (e.g. kadmin). Since we
+ * don't have explicit admin support for aliases yet, this is
+ * okay.
+ */
+ if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY))
+ return TRUE;
+ if (flags & KRB5_KDB_FLAG_CANONICALIZE)
+ return TRUE;
+ return FALSE;
+}
+
/*
* look up a principal in the directory.
*/
@@ -160,7 +184,7 @@ krb5_ldap_get_principal(context, searchfor, flags, entries, nentries, more)
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
- if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+ if (aliases_ok(flags)) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;
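Review bot: In aliases_ok() the permissive answer is the fallthrough, not the exception: any caller that does not set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY gets aliases, so a future non-KDC caller (or a new DAL flag added without revisiting this helper) inherits alias resolution silently, which the block comment acknowledges for kadmin but the code does not make visible. I would state that default next to the first return so it is found by a grep rather than only by reading the prose, e.g. `/* No explicit "aliases ok" DAL flag yet: anything that is not a client-name lookup defaults to permissive, admin callers included. */`. The three returns also collapse to the documented rule in one expression, `return !(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) || (flags & KRB5_KDB_FLAG_CANONICALIZE);`, which is easier to compare against the comment. krb5_ldap_get_principal is defined K&R-style and starts and ends outside the second hunk, so the declared type of its `flags` parameter is not visible here; I am assuming it matches the helper's `unsigned int`, and that the else branch which refuses a non-canonicalized alias match is unchanged.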